Virginia Gov. Ralph Northam signed a comprehensive privacy law that gives consumers the right to access their personal data held by companies and allows them to request that it be deleted.
The Virginia law, which goes into effect in January 2023, also requires covered companies to conduct data protection assessments on personal information used for targeted advertising and sales purposes. Its passage gives companies doing business in the United States a second comprehensive state privacy law to comply with, after California passed the California Consumer Privacy Act in 2018.
Some privacy advocates praise the Virginia law’s focus on data security. Data protection assessments are a “valuable way” for businesses to understand what data they collect, said Ray Walsh, a digital privacy expert at privacy tool reviews site ProPrivacy.com.
The law’s data security requirement will give companies “a better understanding of what data is being harvested, stored, and processed across the business and for what purposes,” he told the Washington Examiner.
Virginia’s Consumer Data Protection Act applies to companies that conduct business in the state or produce products and services targeted to Virginia residents. In addition, to be covered by the regulations, the business must either control or process the personal data of at least 100,000 consumers during a calendar year or control or process the personal data of 25,000 consumers while deriving at least half of its revenue from the sale of personal data.
The Virginia law is similar to the California Consumer Privacy Act in many ways. Still, the Virginia law is narrower than California's because it covers only consumer data, whereas the CCPA also reaches employee data. The CCPA itself took effect in 2020; the amendments to it under the California Privacy Rights Act, approved by California voters in 2020, take effect in January 2023, the same month as the Virginia law.
The Virginia law also does not allow private individuals to sue for privacy violations, unlike the California law. The Virginia attorney general can file lawsuits after businesses are given 30 days to fix their privacy infractions.
Many privacy advocates applauded the Virginia bill. Privacy experts suggested that compliance shouldn’t be complex for most companies already focused on the California law and the European Union’s General Data Protection Regulation.
Many companies working on complying with the GDPR or the California law should already have “an infrastructure of a privacy program in place,” said Ray Pathak, vice president of data privacy solutions at Exterro, a compliance software and privacy solutions vendor. Compliance with the Virginia law will involve “tweaking and adjusting their program already in place.”
But companies covered by the Virginia law that haven’t needed to deal with the GDPR or the CCPA will need to work on privacy notices, procedures for collecting and sharing personal data, and risk assessments, he added.
For these companies, the Virginia law “will be a very big lift, and they will need to start as soon as possible to get the program in place because two years is going to fly by,” he told the Washington Examiner.
The data security assessments may be a “burden” for some companies, added Rick Tracy, chief security officer and product manager at Telos Corporation, a cloud security provider. On the positive side, “such laws will offer transparency regarding how personal data is used,” he told the Washington Examiner.
Still, as other states consider privacy laws, a federal standard may be necessary, he added.
“Multiple different state laws will likely create confusion for consumers in states where there is less protection,” he said. “Consumers might think that they are afforded certain protections that may not be part of their states’ privacy laws.”
While a state data privacy bill failed in the Florida Legislature this year, there will be more pressure on Congress to pass a national law as more states move forward, some privacy advocates said.
“Data privacy is a constantly evolving area of the law, and companies are struggling to keep up,” said Michael Williams, a partner at Clym, a compliance software vendor. “In the absence of a mandatory federal law, it’s likely that we’ll see additional states adopt their own legal framework, which will further complicate compliance efforts.”
However, some lawmakers will likely push for a federal law that doesn’t preempt stricter state privacy laws, he told the Washington Examiner. “In that sense, it may eventually look much like the U.S.’s income tax regime, with a federal system affecting all businesses and then states imposing their own rules for companies doing business in that state,” he said.